Manage privileged objects in CyberArk PAM - Self-Hosted
CyberArk Identity supports managing privileged accounts and objects in CyberArk Privileged Access Manager - Self-Hosted. This topic describes how to configure CyberArk Identity to authenticate to PAM - Self-Hosted REST APIs. These APIs can leverage the CyberArk Identity System for Cross-domain Identity Management (SCIM) server to manage objects in PAM - Self-Hosted.
SCIM endpoints let SCIM-compliant IGA platforms, such as SailPoint, integrate with PAM - Self-Hosted to simplify and automate the lifecycle management of privileged accounts. SCIM uses CyberArk Password Vault Web Access (PVWA) to manage objects in PAM - Self-Hosted without requiring a VPN connection.
The CyberArk OIDC Trust app that was used for this integration in previous releases has been deprecated. Do not attempt to use it. It will be removed from the Identity Administration portal in a future release.
Before you begin
When integrating PAM - Self-Hosted with a third-party IGA application, start by performing the steps in Set up SCIM for PAM - Self-Hosted. When you reach step 2-2, return to this topic to configure CyberArk Identity.
When you configure the SCIM server, make sure you include an OAuth2 Client app to access the SCIM server with the scope scim*. This is described in Configure the SCIM server.
Before you configure CyberArk Identity, you need the following:
- PAM - Self-Hosted Vault updated to version 12.1 or later
- PVWA (Password Vault Web Access) component in PAM - Self-Hosted updated to version 12.2 or later
- URL for the PAM - Self-Hosted instance (not the PVWA sign-in URL)
- CyberArk Identity Connector version 21.7 or later with the API Proxy Service enabled. This enables CyberArk Identity to invoke the corresponding PAM - Self-Hosted REST APIs through the secure, VPN-less tunnel. See Install the CyberArk Identity Connector for more information.
Configure CyberArk Identity integration with PAM - Self-Hosted
Step 1: Create a service account for the Vault integration
- In the Identity Administration portal, go to Core Services > Users and click Add User.
- Enter the name of the service account user in the Login name field. Enter an email address and display name.
- Create a password for the service user.
- Select Is service user and Is OAuth confidential client.
- Click Create User.
Step 2: Create a role for the Vault integration
The service user must have a role with permission to the OAuth2 Client app used to access CyberArk Identity SCIM APIs for the IGA-PAM - Self-Hosted integration. See Configure the SCIM server for more information about configuring CyberArk Identity as a SCIM server and creating the service user.
- Go to Core Services > Roles, then click Add Role.
- Enter a unique name for the role and click Save.
- In the role you just created, go to the Members tab. Click Add and add the identity-privilege-integration-user$ service user.
- Go to the Administrative Rights tab and add Vault Management.
- Click Save.
Step 3: Configure CyberArk Identity
- In the Identity Administration portal, go to Settings > Integration > Vault Configuration.
- In the PVWA URL field, enter the URL for the PAM - Self-Hosted instance (not the PVWA sign-in URL).
- Select a CyberArk Identity Connector to use with this service. Choose either Any available connector or a specific connector from the list.
- Click Save.
Step 4: Configure the Vault
- Download the following CyberArk Marketplace scripts to a server that can communicate with PVWA.
  Configuration scripts:
  - Create SCIM service user: https://cyberark-customers.force.com/mplace/s/#a352J000000aft4QAA-a392J000002OyRKQA0
  - Identity and PAS integration configuration: https://cyberark-customers.force.com/mplace/s/#a352J000000afGWQAY-a392J000002OgE6QAK
- In PowerShell, go to the directory where the scripts are located and run the command to create a SCIM service user:
  .\CreateSCIMServiceUser.ps1 -PVWAUrl <PAS-PVWA-URL>
  where <PAS-PVWA-URL> is the URL for the Password Vault Web Access instance. For example: https://example.acme.com/PasswordVault
- When prompted, enter your PAM - Self-Hosted admin credentials. The script creates a SCIM service user.
- Run the configuration script. In PowerShell, run the following command:
  .\IdentityConfiguration.ps1 -portalUrl <PAS-PVWA-URL> -cyberArkIdentityMetadataUrl <CYBERARK-IDENTITY-METADATA-URL> -cyberArkIdentityClientId __idaptive_cybr_user_oidc
  Command parameters:
  - portalUrl: URL for PVWA. For example: https://example.acme.com/PasswordVault
  - cyberArkIdentityMetadataUrl: Tenant URL in the following format: https://<your_tenant_url>/__idaptive_cybr_user_oidc/.well-known/openid-configuration
    For example: https://abc0123.id.cyberark.cloud/__idaptive_cybr_user_oidc/.well-known/openid-configuration
  - cyberArkIdentityClientId: __idaptive_cybr_user_oidc
- When prompted, enter your PAM - Self-Hosted admin credentials.
- Add identity-privilege-integration-user$ as a Safe member to the Safes that you want to manage with CyberArk Identity. See Add a Safe member for instructions.
- Grant Safe permissions to the identity-privilege-integration-user$. Perform the appropriate steps for your environment:
  - Integrate CyberArk Identity with an external Identity Governance and Administration (IGA) solution: Grant all Safe permissions (as a Safe owner) to the identity-privilege-integration-user$. See Manage Safes for instructions.
  - Manage Safe access with CyberArk Identity Compliance: Grant the identity-privilege-integration-user$ permission to manage Safes and Safe members. See Manage Safes for instructions.
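The two PowerShell commands above are easy to mistype, and the configuration script cannot succeed if the OIDC metadata URL is wrong or unreachable from the server. The following wrapper, an added example that is not one of the CyberArk Marketplace scripts, checks the inputs before invoking them: it requires HTTPS for both URLs, builds the metadata URL from the tenant URL in the format shown above, fetches the discovery document and confirms the standard OpenID Connect fields (issuer, token_endpoint, jwks_uri) are present, confirms both scripts exist in the current directory, and only then runs them. The tenant and PVWA values are placeholders you replace; the script names and parameter names are those from the steps above.

```powershell
# Pre-flight checks and invocation for the Step 4 scripts (added example, not CyberArk's code).
# Replace the two placeholder values below with your own PVWA and CyberArk Identity tenant URLs.
$PvwaUrl   = 'https://example.acme.com/PasswordVault'   # <PAS-PVWA-URL>, not the PVWA sign-in URL
$TenantUrl = 'https://abc0123.id.cyberark.cloud'        # https://<your_tenant_url>
$ClientId  = '__idaptive_cybr_user_oidc'                # fixed value from the documented command

$ErrorActionPreference = 'Stop'

function Assert-HttpsUrl {
    param([string]$Url, [string]$Label)
    # Reject anything that is not an absolute https:// URL: the integration goes over the
    # connector tunnel, and a plain-http or malformed value would fail (or leak credentials).
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        throw "$Label must be an absolute https:// URL, got '$Url'"
    }
    return $uri.AbsoluteUri.TrimEnd('/')
}

$PvwaUrl   = Assert-HttpsUrl -Url $PvwaUrl   -Label 'PVWA URL'
$TenantUrl = Assert-HttpsUrl -Url $TenantUrl -Label 'Tenant URL'

# Build the metadata URL exactly in the documented format.
$MetadataUrl = "$TenantUrl/$ClientId/.well-known/openid-configuration"

# Fetch the OIDC discovery document and verify the fields every OpenID Provider must publish.
# This catches a wrong tenant URL, a typo in the client id, or a server with no outbound HTTPS.
Write-Host "Checking OIDC metadata at $MetadataUrl"
$metadata = Invoke-RestMethod -Uri $MetadataUrl -Method Get
foreach ($field in 'issuer', 'token_endpoint', 'jwks_uri') {
    if (-not $metadata.PSObject.Properties[$field]) {
        throw "OIDC metadata at $MetadataUrl is missing required field '$field'"
    }
}
Write-Host "Issuer: $($metadata.issuer)"

# Both Marketplace scripts must be in the current directory (see the download step above).
foreach ($script in '.\CreateSCIMServiceUser.ps1', '.\IdentityConfiguration.ps1') {
    if (-not (Test-Path -Path $script -PathType Leaf)) {
        throw "Expected script $script in $(Get-Location); download it from the Marketplace first"
    }
}

# Step 4 commands, exactly as documented. Each script prompts for PAM - Self-Hosted admin credentials.
& .\CreateSCIMServiceUser.ps1 -PVWAUrl $PvwaUrl

& .\IdentityConfiguration.ps1 `
    -portalUrl $PvwaUrl `
    -cyberArkIdentityMetadataUrl $MetadataUrl `
    -cyberArkIdentityClientId $ClientId
```

Run it from the directory that holds the downloaded scripts. If the metadata fetch fails, fix the tenant URL or the server's outbound HTTPS access before re-running; nothing is changed in the Vault until both checks pass.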
CyberArk Identity configuration is complete.
Step 5: Configure PAM - Self-Hosted to integrate with CyberArk Identity
Return to Set up SCIM for PAM - Self-Hosted to complete the integration.